MCTS 70-640 Cert Guide: Installing Active Directory Domain Services

This chapter is from the book 

Foundation Topics

Planning the Active Directory Namespace

As discussed in Chapter 1, "Getting Started with Active Directory," the domain is the primary administrative unit within an Active Directory namespace. Windows Server 2008 uses the concept of domains to separate available resources among registered users. It is also the basic security unit, as you will see throughout this book, because many of the security requirements in Active Directory are focused at the domain level. Therefore, it is important to begin the process of planning any company's Active Directory Domain Services (AD DS) namespace from the viewpoint of the domain structure.

All planning starts from the name of your company's root domain. Recall in Chapter 1 that each tree has a root domain that is located at the top of the inverted tree structure. All subdomains contain this root domain name in their own domain names. In addition, the first domain in the entire forest is not only a root domain, it is also the forest root. Also, the top-level domain names used on the Internet and defined in the DNS hierarchy are included. The latter is not an absolute requirement if you are planning a domain that has no Internet representation whatsoever, but what company these days does not have a presence on the Internet?

Therefore, it makes sense that your root domain can take the same name as your Internet domain name as registered with InterNIC (Internet Network Information Center). Consider a fictional company with an Internet domain name of mycompany.biz. Although you can use this name as your AD DS root domain name, it creates a risk of revealing your company's AD DS structure to the public Internet. Consequently, you might want to keep the internal name separate and use something like mycompany.local for the AD DS root domain name of the same fictional company.

Subdividing the Active Directory Namespace

You can subdivide your namespace within Active Directory in two ways:

• Separate domains
• Organizational units (OUs)

In many instances, the use of separate domains or OUs would serve just as well as the other. In larger companies, the use of separate domains often arose from the limitations of the Security Accounts Manager (SAM) database in Windows NT. Because the AD DS database can hold millions of objects, this limitation is seldom of importance in AD DS design. For this reason, and because a single domain structure is the easiest type of structure to administer, this method is the best means of organizing your company's namespace if possible. There is no specific need to create separate domains for administrative functions, geographical sites, or departments in the company. Logically, you can handle this function by setting up a system of OUs. An internal system of OUs provides the following additional advantages:

• It can be administered either centrally or locally. The concept of delegation of control in AD DS facilitates the assignment of individuals as local administrators.
• User authentication is simpler and faster within a single domain environment, regardless of where a user is located.
• It is far simpler to modify when needed—for example, if your company is reorganized.
• It is flexible and can include an internal hierarchy of departments, sections, work units, and so on.

There are, however, reasons for using separate domains for discrete divisions of your company:

• This approach can facilitate decentralized administration of network resources.
• In the case of multiple Internet domain names, the domain can be built to mirror the Internet functionality.
• Multiple domains representing different geographical locations might reduce the amount of replication traffic across low wide area network (WAN) links.
• User account requirements that vary among departments or locations, such as password complexity, are more easily handled with separate domains.
• International legal and language needs might be handled more easily by using separate domains.
• Very massive organizations can be broken down into a domain structure.

Administrative or Geographical Organization of Domains

You can organize a series of domains along either administrative or geographical means. For example, Figure 3-1 shows mycompany.biz organized along three administrative divisions—Accounting, Products, and Advertising—all reporting to a Management group, contrasted with the company's main offices located in San Francisco, Dallas, Toronto, and Atlanta.

You need to take into account conditions that favor either the administrative or geographical model. This can include the following factors:

• Plans for future offices in additional cities
• Projected growth of each of the company's divisions
• Potential for reorganization of the company along new departmental lines
• Requirements for centralized or decentralized administration of the company
• Needs for different security levels in either certain departments or certain offices
• Current or future use of one or more Internet DNS namespaces

Such factors suggest the best domain organization for your company's AD DS namespace.

Use of Multiple Trees

Within the AD DS forest, you can have one or more trees. As outlined in Chapter 1, the main difference between trees and forests is that domains within a tree share a contiguous namespace, whereas domains located in different trees in the same forest have a disjointed namespace. Thus, que.com and examcram.com are root domains in two separate trees of the same forest.

In almost all multiple domain enterprises, it makes sense to employ a single tree. The major exception occurs when two companies merge and want to maintain their separate identities. Their identities, and indeed their Internet namespaces, are best served by having more than one tree in the forest.

Best Practices

Planning the AD DS domain structure is an act that has far-reaching implications. This process is something that cannot simply be decided by a few network administrators sitting down with a few diagrams of the network and company business structures. Rather, it must involve the company's senior and middle management as well as business strategy specialists and representatives from remote offices. If you use internally developed applications, representatives of the development team should be involved. The following guidelines will help you make your AD DS implementation proceed smoothly:

• Know everything there is to know about the network: Although this guideline might sound intuitive for senior administrators who have built the network from the ground up, those who have come on the scene more recently need to gather information about everything that must be accounted for in an AD DS plan.
• Employ a test lab: The lab should contain representative domain controllers, member servers, and client computers. Set up a mini version of your complete network and engage the assistance of a representative set of users to test all facets of the implementation thoroughly.
• Prepare thorough documentation: This point can never be understated. Use tools such as Microsoft Visio to prepare diagrams of different levels of company detail, from the major administrative units down to the smallest workgroups. Visio is a tool that is specifically designed for preparing administrative diagrams such as those required in this scenario. This exercise also helps in optimizing communication between technical individuals and top management.
• Use an email distribution list to keep everyone informed: When all concerned individuals have full access to the latest developments, unpleasant surprises are minimized.
• Keep all employees informed: Although the regular workers might not understand the details of what is happening, they should be informed of the summary points of any planned changes. They will then be much more able to cope with the changes. In addition, they could provide valuable feedback.
• Ensure that all top managers know what's happening: This point also can never be understated. This helps prevent unpleasant surprises and the need to redo portions of the planning process.
• Understand thoroughly the network's TCP/IP infrastructure: Your understanding helps in designing the network and DNS configuration that is the foundation of the AD DS infrastructure. It is especially true in developing the proper site structure, as will be discussed in Chapter 6, "Configuring Active Directory Sites and Replication."
• Develop and adhere to an adequate security policy: Thoroughly review any security policy that your company already has in place. Apply the policy's constraints to the proper design of your company's domain structure. Make any appropriate changes as you develop the AD DS infrastructure.
• Know the capabilities of your WAN links: If your network includes slow WAN links, test and monitor the use of these links before and during the AD DS implementation to ensure that you have the optimum configuration.

Creating Forests and Domains

After you have created a comprehensive plan for your organization's AD DS structure, you are almost ready to begin the installation. The first task that you must perform is to install the first domain controller for the forest root domain.

Requirements for Installing Active Directory Domain Services

Before you can install AD DS, you must have at least one server that meets the following requirements:

• Operating system: The server must be running the Foundation, Standard, Enterprise, or Datacenter edition of Windows Server 2008 R2. Note that a server running the Web edition cannot act as a domain controller.
• Adequate hard disk space: Beyond the space used for installing Windows Server 2008 R2, the server must have a minimum of 500 MB of disk space for the Active Directory database and SYSVOL folder, plus at least 100 MB for the transaction log files. The larger the proposed network, the more disk space is necessary. And in practical terms, you should have several gigabytes of available space at a minimum. In Windows Server 2008 R2, you should have additional disk space for the following reasons:
  • - The online defragmentation process is changed in Windows Server 2008 R2.
  • - Windows Server 2008 R2 domain controllers have additional indices on the large link table.
  • - The Active Directory Recycle Bin in Windows Server 2008 R2 holds deleted objects and their attributes until cleared.
• A disk volume formatted with the NTFS file system: This ensures security of the database; furthermore, it is required for the SYSVOL folder. Windows Server 2008 R2 creates an NTFS partition by default when installed.

  TIP

  It is strongly recommend that you use a fault-tolerant disk volume such as RAID-1 (disk mirroring) or RAID-5 (disk striping with parity) for the Active Directory files. This enables the domain controller to function in the event of a disk failure, until the failed disk can be replaced. However, fault-tolerant disks are no substitute for regular backups of Active Directory. Backups are discussed in Chapter 15, "Maintaining Active Directory."

• A DNS server: Active Directory requires that a DNS server that supports service (SRV) resource records be present. This can be any server running Windows 2000 or later or a UNIX server running Berkeley Internet Name Domain (BIND) 4.9.7 or later. If you want to integrate the DNS database with Active Directory, you should install DNS on the same server that you install AD DS. If the Active Directory Installation Wizard cannot find a suitable DNS server, you will be prompted to install one. DNS is discussed in Chapter 2, "Installing and Configuring DNS for Active Directory," and Chapter 4, "Configuring DNS Server Settings and Replication."
• Administrative privileges: You must be logged on with an account that has the appropriate administrative privileges. For the first domain controller, this is a local administrator. To add a domain to an existing forest, you must be a member of the Enterprise Admins group in this forest; to add a domain controller to an exiting domain, you must be a member of the Domain Admins or Enterprise Admins group in this domain. Group memberships are discussed in Chapter 9, "Active Directory User and Group Accounts."

Installing Active Directory Domain Services

As in Windows 2000 and Windows Server 2003, Active Directory provides the Active Directory Installation Wizard (dcpromo.exe) that handles all aspects of installing or removing Active Directory. Windows Server 2008 is different from previous Windows Servers in that you install AD DS first and then install a domain controller. You can install AD DS without installing a domain controller if you are configuring your server for a directory-related application such as Exchange Server. This section looks at the use of this wizard for installing different types of domain controllers.

You can start the Active Directory Installation Wizard from the Add Roles Wizard in Server Manager or directly from the dcpromo.exe command. The following sections describe the use of the Add Roles Wizard for installing AD DS.

New Forests

As already noted, the first domain installed is the root domain in its forest. You must be a local administrator on the server on which you install Active Directory to proceed. The following procedure describes the installation of the first domain:

• Step 1. In the Add Roles Wizard, select Active Directory Domain Services and then click Next.
• Step 2. If you receive a message box labeled Add features required for Active Directory Domain Services and asking you to install .NET Framework 3.5.1, click Add Required Features.
• Step 3. The wizard displays the Introduction to Active Directory Domain Services page shown in Figure 3-2. Make note of the points displayed by this page. If you want additional details regarding installation of Active Directory, click any of the links provided. When finished, click Next.
  

  Figure 3-2 You can use the Add Roles Wizard to begin the installation of AD DS.

• Step 4. Note the information provided on the Confirm Installation Selections page and then click Install to begin installing Active Directory.
• Step 5. The wizard displays an Installation Progress page that charts the progress of installation. After a few minutes, it informs you that the AD DS role has been installed successfully and that you need to launch the Active Directory Domain Services Installation Wizard (dcpromo.exe). Click Close to exit the wizard and return to Server Manager.
• Step 6. Scroll down to the Roles Summary section of Server Manager. Note that Active Directory Domain Services is shown as having been installed. A message marked with a red X indicates the number of system services that are not running.
• Step 7. Click this message. You are informed that the server is not yet running as a domain controller. Click the link provided to start the AD DS Installation Wizard.
• Step 8. This wizard opens with a Welcome page. Click Next.
• Step 9. The Operating System Compatibility page shown in Figure 3-3 informs you that Windows Server 2008 R2 security settings affect how older versions of Windows communicate with the domain controller. Access the Knowledge Base article quoted for more information. Click Next to proceed with AD DS installation.
  

  Figure 3-3 You are informed about security settings that prevent some older Windows clients or non-Windows systems from logging on to the Windows Server 2008 R2 domain controller.

• Step 10. On the Choose a Deployment Configuration page shown in Figure 3-4, select Create a new domain in a new forest and then click Next. On this page, you would select the Existing forest option when creating a new domain in an existing forest or adding a domain controller to an existing domain. These options are discussed later in this chapter.
  

  Figure 3-4 The wizard provides options for installing a domain controller in an existing forest or a new one.

• Step 11. Type the full DNS name of the forest root domain and then click Next.

  NOTE

  Windows Server 2008 R2 no longer supports the creation of single-label domain names; however, you can still upgrade existing single-label domains to Windows Server 2008 R2. For more information, refer to "Information about configuring Active Directory domains by using single-label DNS names" at http://support.microsoft.com/kb/300684.

• Step 12. The wizard verifies the forest and NetBIOS names and then displays the Set Forest Functional Level page shown in Figure 3-5. Select the appropriate forest functional level and then click Next. The available domain and forest functional levels are discussed later in this chapter.
  

  Figure 3-5 The wizard enables you to select from four forest functional levels.

• Step 13. Select a domain functional level and then click Next.
• Step 14. The Additional Domain Controller Options page provides the following additional options that you can install for the domain controller. Ensure that DNS Server is selected and then click Next.
  • - DNS Server: Installs DNS on this server. This option is selected by default when first installing AD DS because DNS is required for Active Directory.
  • - Global Catalog: Installs a Global Catalog server. This option is not available but selected when installing the first domain controller in any domain because this server must be a global catalog server.
  • - Read-Only Domain Controller (RODC): Installs an RODC. This option is not available because the first domain controller cannot be an RODC. Installing an RODC is discussed in Chapter 8, "Read-Only Domain Controllers."
• Step 15. If the server does not have a statically assigned IP address, you are informed of this fact. A domain controller (and in particular, one that is configured as a DNS server) should always have a statically assigned IP address to ensure that client computers can always reach it. Select Yes, open the IP properties so that I can assign a static IP address to the network adapter, and then configure an appropriate IP address, subnet mask, default gateway, and default DNS server address.
• Step 16. If you receive a message informing you that a delegation for the DNS server will not be created, click Yes to continue. You might receive this message if you are installing DNS on this server. If so, you should manually create this delegation later.
• Step 17. Confirm the locations provided for the database, log files, and SYSVOL folders. If you want to change any of these locations, type the desired path or click Browse. When finished, click Next.

  TIP

  When setting up a domain controller on a production network, it is advisable to place the database and log folders on a separate drive from the SYSVOL folder. The reason for doing so is to improve only I/O performance; this does not improve security or fault tolerance, as an exam question might lead you to believe.

• Step 18. On the Directory Services Restore Mode Administrator Password page, type and confirm a secure password. Make a careful note of the password you typed in case you need to use it later and then click Next.
• Step 19. The wizard provides a Summary page as shown in Figure 3-6. Review the information provided on the Summary page. If you want to change any settings, click Back and make the appropriate changes. If you want to export information to an answer file, click Export settings and provide an appropriate path and filename. Then click Next to configure AD DS. This process takes several minutes.
  

  Figure 3-6 The wizard provides a summary page that enables you to review the settings you've specified.

• Step 20. When the completion page appears, click Finish and then click Restart Now to reboot your server. To reboot the server automatically, select the Reboot on Completion check box.

New Domains in Existing Forests

After you have installed the forest root domain, you can add additional child domains or domain trees to the forest. Either procedure is similar to the procedure already outlined for creating a forest root domain, as follows:

• Step 1. Follow the procedure to install AD DS and start the Active Directory Installation Wizard as described in the previous section until you receive the Choose a Deployment Configuration page previously shown in Figure 3-4.
• Step 2. On this page, select Existing forest, and then select Create a new domain in an existing forest. Then click Next.
• Step 3. On the Network Credentials page, type the name of the parent domain in which you want to install a child domain. Then click Set and specify the username and password of an account with the appropriate privileges described earlier in this chapter and click Next.
• Step 4. On the Name the New Domain page shown in Figure 3-7, type the name of the parent and child domains in the spaces provided. The new domain will be created as a child domain or new tree automatically depending on the name you provide. Then click Next.
  

  Figure 3-7 You create a child domain name from the name of the parent domain and the new top-level name on the Name the New Domain page.

• Step 5. On the Set Domain Functional Level page, select the required functional level and then click Next. Domain functional levels are discussed later in this chapter.
• Step 6. On the Select a Site page, select an appropriate site and then click Next. Sites are discussed in Chapter 6.
• Step 7. Complete the installation of the domain controller according to steps 14–20 of the previous procedure.

Existing Domains

Installing additional domain controllers in an existing domain is important for the following reasons:

• Doing so adds fault tolerance and load balancing to the domain. In other words, additional domain controllers help share the load and improve performance.
• Users logging on to the domain can connect to any available domain controller for authentication.
• Users at a remote location can connect to a domain controller at their site rather than making a slow connection across a WAN link.
• If a domain controller should become unavailable because of a network or hardware failure, users can still log on to the domain.

To install an additional domain controller in an existing domain, follow the same procedure as in the previous section, except select the Add a domain controller to an existing domain option shown in Figure 3-4. Then select the proper domain from the Select a Domain page (this page will display all available domains in the forest). The remainder of the procedure is the same as that for creating a new domain in an existing forest, except that the Set Domain Functional Level page does not appear.

Performing Unattended Installations of Active Directory

Windows Server 2008 R2 enables you to specify parameters for Active Directory installation in an answer file that you can use to facilitate the installation of multiple domain controllers. This file is formatted as a simple text file containing the statement [DCINSTALL] on the first line followed by statements in the form option=value. Table 3-2 describes several of the more common options you can use in this file:

Table 3-2. Several Options Used for Unattended Domain Controller Installation

Option	Value	Meaning
UserName	Username of administrative user	Installs the domain controller in the context of this user.
Password	User's password | *	Specifies the password of the user installing the domain controller. Use * to prompt for the password.
ReplicaOrNewDomain	Domain | Replica | ReadOnlyReplica	Specifies whether to install a new domain, an additional domain controller (replica) in an existing domain, or an RODC in an existing domain.
ReplicaDomainDNSName	Existing domain name	Specifies the fully qualified domain name (FQDN) of the domain in which you are installing an additional domain controller.
NewDomain	Forest | Tree | Child	Specifies whether to install a new forest, a new tree in an existing forest, or a child domain.
NewDomainDNSName	Domain name to be created	Specifies the FQDN for a new domain.
ParentDomainDNSName	Parent domain name	Specifies the FQDN of the parent domain when creating a child domain.
ChildName	Child domain name	Specifies the top-level DNS name of the child domain. This name is prefixed to the parent name to create the FQDN of the child domain.
ForestLevel	0 | 2 | 3 | 4	Specifies the forest functional level of a new forest: 0 = Windows 2000 2 = Windows Server 2003 3 = Windows Server 2008 4 = Windows Server 2008 R2
DomainLevel	0 | 2 | 3 | 4	Specifies the domain functional level of a new domain. Parameters have the same meaning as just described.
InstallDNS	Yes | No	Specifies whether a DNS server is installed.
ConfirmGC	Yes | No	Specifies whether the domain controller is installed as a global catalog server.
DatabasePath	Path to database folder	Default is %systemroot%\NTDS.
LogPath	Path to log folder	Default is %systemroot%\NTDS.
SysvolPath	Path to SYSVOL folder	Default is %systemroot%\SYSVOL.
RebootOnCompletion	Yes | No	Specifies whether to restart the computer on completion, regardless of success.

Many additional options are available, including options specific to the demotion of domain controllers. For additional information, consult "Appendix of Unattended Installation Parameters" at http://technet.microsoft.com/en-us/library/cc732086(WS.10).aspx.

To perform an unattended installation of a domain controller, open a command prompt and type the following command:

 dcpromo /answer: path_to_answer_file 

where path_to_answer_file specifies the complete path to the unattended answer file containing the parameters specified in Table 3-2. You can also include any of these parameters in the command line by prefixing each of them with the "/" character. The output to the command prompt will track the progress of the promotion, and then the server will automatically reboot if the RebootOnCompletion parameter has been specified.

Server Core Domain Controllers

You cannot use Server Manager or a simple execution of dcpromo to promote a Server Core machine to a domain controller. You must use an unattended installation answer file in a similar manner to that described in the previous section. This file must include the information required to identify the domain being joined, including the username and password for a domain administrator account.

Removing Active Directory

The Active Directory Installation Wizard also enables you to remove Active Directory from a domain controller, thereby demoting it to a member server. Proceed as follows:

• Step 1. Click Start > Run, type dcpromo, and then press Enter.
• Step 2. Windows checks whether Active Directory Domain Services is installed and then displays the Welcome page. Click Next.
• Step 3. If you receive a message warning you of the effects of removing a global catalog server, click OK.
• Step 4. You receive the Delete the Domain page shown in Figure 3-8. Note all the warnings displayed about the effects of removing a domain. Select the check box only if you are removing the last domain controller from its domain and then click Next.
  

  Figure 3-8 When you demote a domain controller, you are warned of the effects of deleting the domain.

• Step 5. You receive the Application Directory Partitions page if the server holds the last replica of any application directory partitions. Click Next, select the check box labeled Delete all application directory partitions on this Active Directory domain controller, and then click Next again to remove the application directory partitions.
• Step 6. Type and confirm a password for the local Administrator account on the server, and then click Next.
• Step 7. Read the information provided on the Summary page. If you need to make any changes, click Back. When ready, click Next to demote the server.
• Step 8. When the demotion is finished, click Finish and then click Restart now to restart the server. To reboot the server automatically, select the Reboot on Completion check box.

Interoperability with Previous Versions of Active Directory

Many organizations have created Active Directory domains based on Windows 2000 or Windows Server 2003 domain controllers and are now in a position to take advantage of the new features of Windows Server 2008 and Windows Server 2008 R2 Active Directory. You can add new Windows Server 2008 domain controllers to an existing older Active Directory forest or upgrade all domain controllers in the forest to Windows Server 2008.

As summarized in Chapter 1, Active Directory in Windows Server 2008 and Windows Server 2008 R2 introduces numerous additional features not supported by previous versions of Windows Server. Many of these features limit the interoperability of Windows Server 2008 with previous versions, and Microsoft has extended the concept of domain and forest functional levels to define the actions that can be done on a network that includes older domain controllers.

This section looks at these functional levels and the tools used for upgrading an older Active Directory network to Windows Server 2008.

Forest and Domain Functional Levels

As you noticed when installing your first domain controller (refer to Figure 3-5), Table 3-3 summarizes the forest and domain functional levels supported by Active Directory in Windows Server 2008.

Table 3-3. Forest and Domain Functional Levels in Windows Server 2008 R2 Active Directory

Forest Functional Level	Domain Functional Levels Supported	Domain Controllers Supported
Windows 2000 native	Windows 2000 native Windows Server 2003 native Windows Server 2008 native Windows Server 2008 R2 native	Windows 2000 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2
Windows Server 2003 native	Windows Server 2003 native Windows Server 2008 native Windows Server 2008 R2 native	Windows Server 2003 Windows Server 2008 Windows Server 2008 R2
Windows Server 2008 native	Windows Server 2008 native Windows Server 2008 R2 native	Windows Server 2008 Windows Server 2008 R2
Windows Server 2008 R2 native	Windows Server 2008 R2 native	Windows Server 2008 R2

To make use of the functionality provided by Windows Server 2008 Active Directory, you must upgrade all domain controllers to Windows Server 2008 and upgrade the functional levels accordingly. A domain running at the Windows Server 2008 domain functional level located in a forest running at a lower functional level supports domain-based Windows Server 2008 Active Directory features but not forest-based ones.

Furthermore, to make use of the newest Active Directory features in Windows Server 2008 R2, you must upgrade all domain controllers to Windows Server 2008 R2 and upgrade the domain and forest functional levels accordingly.

Windows Server 2008 does not support the Windows 2000 mixed functional level previously found in older Active Directory networks. If you still have any domain controllers running Windows NT 4.0, you must upgrade or remove these domain controllers before introducing a Windows Server 2008 or Windows Server 2008 R2 domain controller on your network.

Upgrading Domain and Forest Functional Levels

To raise the forest functional level, you must first raise the functional level of all domains in the forest to the same or higher domain functional level. To raise the domain functional level, perform any of the following three actions:

• Open the Active Directory Administrative Center snap-in, right-click your domain, and then choose Raise the domain functional level.
• Open the Active Directory Users and Computers snap-in. Right-click Active Directory Users and Computers and choose All Tasks > Raise domain functional level.
• Open the Active Directory Domains and Trusts snap-in, right-click your domain, and choose Raise domain functional level.

In the dialog box shown in Figure 3-9, select the appropriate functional level and click Raise. Then click OK to accept the warning that is displayed.

To raise the forest functional level, access the Active Directory Domains and Trusts snap-in. Right-click Active Directory Domains and Trusts and select Raise forest functional level. Select the appropriate functional level, click Raise, and then click OK to accept the warning that is displayed. You can also right-click your domain name in the Active Directory Administrative Center and choose Raise the forest functional level and then follow the same procedure described here.

The Adprep Utility

Microsoft provides the Adprep utility to prepare a down-level Active Directory domain for receiving Windows Server 2008 and Windows Server 2008 R2 domain controllers. Found in the \sources\adprep folder of the installation DVD-ROM, this tool prepares the forest and domain by extending the Active Directory schema and updating several required permissions.

Running the Adprep /forestprep Command

You must run the Adprep /forestprep command on the schema master of the forest first. It extends the schema to receive the new Windows Server 2008 enhancements, including the addition of directory descriptors for certain objects including granular password policies. You have to run this command and let its changes replicate throughout the forest before you run the Adprep /domainprep command. To run this command, you must be a member of the Enterprise Admins, Schema Admins, and Domain Admins groups in the forest root domain.

Running the Adprep /domainprep Command

Run the Adprep /domainprep command on the infrastructure master of each domain in which you plan to introduce Windows Server 2008 domain controllers. It adjusts access control lists (ACLs) on Active Directory objects and on the SYSVOL shared folder for proper access by Windows Server 2008 domain controllers. To run this command, you must be a member of the Domain Admins group in the respective domain and the domain must be operating at the Windows 2000 Server native mode or higher.

You can also run the Adprep /domainprep /prep command to include updates required for enabling Resultant Set of Policy (RSoP) planning mode functionality.

Upgrading a Windows Server 2003 Domain Controller

You can also upgrade an existing Windows Server 2003 domain controller to Windows Server 2008. See Appendix B, "Installing Windows Server 2008 R2," for information on upgrading Windows Server 2003 computers; the procedure outlined in this chapter automatically upgrades AD DS to Windows Server 2008. However, you cannot upgrade a Windows 2000 domain controller to Windows Server 2008 directly; you must first upgrade to Windows Server 2003 and then to Windows Server 2008.

Note that to upgrade a Windows Server 2003 domain controller to Windows Server 2008, you must first run the Adprep utility as already discussed to upgrade the schema for accepting Windows Server 2008 domain controllers.

You can upgrade a Windows Server 2003 domain controller to Windows Server 2008 R2, provided the server meets the hardware requirements discussed in Appendix B.

Before upgrading the first Windows Server 2003 domain controller, ensure that you have run the Adprep /forestprep and Adprep /domainprep commands and that these commands have completed without error. Then select the Install now command from the Welcome screen displayed by the Windows Server 2008 R2 DVD-ROM, and follow the instructions provided by the Installation Wizard and summarized in Appendix B, "Memory Tables".

Additional Forest and Domain Configuration Tasks

This section introduces two additional configuration tasks specified in the Exam 70-640 objectives for configuring a forest or domain: use of the Active Directory Migration Tool (ADMT) v.3.1 and the alternative user principal name (UPN) suffix. Before introducing these tasks, we take a quick look at some procedures that verify that AD DS has been properly installed and, in doing so, introduce some to the administrative tools included with AD DS.

Verifying the Proper Installation of Active Directory

After you have installed Active Directory, there are several steps you should perform to verify that the proper components have been installed. Click Start > Administrative Tools. On a Windows Server 2008 R2 computer, you should see links to five Active Directory management tools: Active Directory Administrative Center, Active Directory Domains and Trusts, Active Directory Module for Windows PowerShell, Active Directory Sites and Services, and Active Directory Users and Computers. You should also see a link to the DNS snap-in unless you have specified another server as the DNS server for your domain.

Open Active Directory Users and Computers. You should see the default containers Builtin, Computers, ForeignSecurityPrincipals, Managed Service Accounts, and Users under the domain you have created. You should also see a default Domain Controllers OU. Select this OU and verify that computer accounts for all domain controllers in the domain are present, as shown in Figure 3-10.

On a Windows Server 2008 R2 computer, open Active Directory Administrative Center. As shown in Figure 3-11, this new MMC snap-in enables you to perform a large range of administrative tasks on your domain, including the following:

• Creating and managing user, group, and computer accounts
• Creating and managing OUs and other Active Directory containers
• Managing other trusted AD DS domains
• Using query-building searches to filter AD DS data

Uses of this tool will be discussed throughout this Cert Guide as appropriate, together with references to tools used on Windows Server 2008 computers that are not running R2.

The Active Directory Administrative Center is installed automatically when you install the AD DS server role in Windows Server 2008 R2. You can also install this tool on a Windows Server 2008 R2 member server or a Windows 7 computer by installing the Remote Server Administration Tools (RSAT) feature. You cannot, however, install Active Directory Administrative Center on a computer running the original version of Windows Server 2008 or on older versions of Windows Server.

Active Directory Migration Tool v.3.1

ADMT v.3.1 is the most recent version of a utility, available for download from the Microsoft website, which assists you in migrating objects such as users, groups, and computers between Active Directory domains in the same forest or in different forests. This tool assists you in the potentially difficult task of restructuring your AD DS forest structure; for example, when changes in your organization's business structure occur because of mergers, acquisitions, or divestitures. You can migrate these objects from a source domain running at any functional level of Windows 2000 native or higher to a target domain running at any functional level of Windows 2000 native or higher. If the source and target domains are in different forests, you must configure trust relationships between the domains in use to ensure data security during the migration process.

Actions performed by ADMT include the following:

• Ensures security of objects being migrated by using 128-bit encryption with the Passport Export Server (PES) service
• Preserves the SID history of objects being migrated
• Enables migration of user profiles
• Migrates computer accounts including domain controllers
• Enables the restructuring of Active Directory domains between forests
• Enables you to use a preconfigured SQL database to hold migration information
• Enables you to perform test migrations so that you can ensure the actual migration will run properly
• Provides a log file that you can check for migration errors and other problems
• Provides for rollback options in the event that the migration does not proceed properly
• Facilitates the decommissioning of old domains in forests to be removed

ADMT 3.1 runs on a server running the original edition of Windows Server 2008 only; it does not run on Windows Server 2008 R2. To use ADMT 3.1, navigate to http://www.microsoft.com/downloads/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&displaylang=en and click the Download button. Then follow the instructions provided to download and save the admtsetup31.exe file to an appropriate location on your computer. Double-click the file, click Run, and then follow the instructions provided to install ADMT 3.1.

Alternative User Principal Name Suffixes

As mentioned earlier in this chapter, a UPN is a logon name specified in the format of an email address such as user@examcram.com. It is a convenient means of logging on to a domain from a computer located in another domain in the forest or a trusted forest. Two types of UPNs are available:

• Implicit UPN: This UPN is always in the form user@domain , such as peter@sales.que.com. It is defined on the Account tab of a user's Properties dialog box in Active Directory Users and Computers.
• Explicit UPN: This UPN is in the form string1@string2 , where an administrator can define values for each string. For example, a user named Peter in the sales.que.com domain could have an explicit UPN in the form peter@sales. Using explicit UPNs is practical when an organization does not want to reveal its internal domain structure.

Windows Server 2008 supports the principle of the UPN suffix, first introduced in Windows Server 2003. This is the portion of the UPN to the right of the at (@) character. By default, the UPN suffix is the DNS domain name of the domain in which the user account is located.

Adding an alternative UPN suffix provides several advantages:

• You can use a common UPN suffix across all users in a forest. This is especially useful if some users have long domain names.
• The UPN suffix enables you to conceal the actual domain structure of the forest from external users.
• You can use separate UPN suffixes in situations where different divisions of a company have separate email domain names, thereby enabling users to log on with a name that matches their email address.

To define an alternative UPN suffix, access Active Directory Domains and Trusts from the Administrative Tools folder. Right-click Active Directory Domains and Trusts and click Properties. From the Properties dialog box shown in Figure 3-12, type the name of the alternative UPN suffix desired, click Add, and then click OK. After you have done this, the alternative UPN suffix is available when you are configuring new or existing user accounts. For more information on configuring user accounts, see Chapter 9.